Skylv Note Linking

Security checks across malware telemetry and agentic risk

Overview

The skill matches its note-linking purpose, but it can recursively read and automatically modify a user's notes without a clear confirmation or rollback step.

Install only if you are comfortable with a local tool recursively reading your notes and, in obsidian export mode, editing them automatically. Run it first on a copy or small test folder, keep backups, prefer JSON/Mermaid/list-style outputs for review, and avoid using it on sensitive vaults unless you have checked the generated links and cache behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script is presented as an export utility, but in obsidian mode it directly edits source note files by appending related links. That creates integrity risk because running a seemingly read/export operation can silently alter user content, potentially corrupting notes, introducing unwanted links, or causing cascading changes if the export is automated.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file header claims the script exports the knowledge graph, but the implementation also modifies notes on disk. This mismatch is security-relevant because users and calling agents may grant the script broader trust than intended, leading to unexpected state changes from what appears to be a non-destructive operation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README suggests broad natural-language invocation phrases like "link my notes" and "find connections in my notes," which are generic enough to overlap with ordinary user conversation. In an agent environment, this can cause unintended skill activation on sensitive note directories without a clearly scoped command, increasing the chance of surprise file access or note processing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that notes can be "Auto-link[ed]" and that the tool "Writes new links in Obsidian format," but it does not prominently warn users that their note files may be modified. In a notes-processing skill, silent or poorly disclosed file modification is risky because users may run it on personal knowledge bases and lose trust, overwrite content, or introduce unwanted links at scale.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad, including common requests like organizing scattered notes or asking what relates to a topic, which could cause the skill to activate unintentionally. In a skill that recursively reads notes and may modify files, accidental activation can expose private content to analysis and trigger unwanted writes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes automatic note modification, including auto-link insertion for high-confidence matches, without any explicit warning, preview, or confirmation step. Silent modification of user notes is risky because it can corrupt documentation, introduce inaccurate links at scale, and alter trusted knowledge bases without clear user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script appends auto-links to source notes without confirmation, preview, or upfront warning. In a note-linking skill context this is especially risky because users may run it over an entire workspace, causing widespread unsolicited content modification and making it difficult to distinguish tool-generated edits from intentional note content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill writes derived note relationship metadata to a predictable temp-file path (`TEMP` or `/tmp`) without user disclosure or access controls. On multi-user systems or shared environments, this can expose sensitive note names, paths, topics, and relationship structure to other local users or processes, and the predictable cache location also increases risk of tampering or unintended reuse.

VirusTotal

66/66 vendors flagged this skill as clean.
